{ lib, pkgs, ... }:
let
  inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
in
{
  name = "locate";
  meta.maintainers = with pkgs.lib.maintainers; [ chkno ];

  nodes = {
    a = {
      environment.systemPackages = with pkgs; [ sshfs ];
      virtualisation.fileSystems = {
        "/ssh" = {
          device = "alice@b:/";
          fsType = "fuse.sshfs";
          options = [
            "allow_other"
            "IdentityFile=/privkey"
            "noauto"
            "StrictHostKeyChecking=no"
            "UserKnownHostsFile=/dev/null"
          ];
        };
      };
      services.locate = {
        enable = true;
        interval = "*:*:0/5";
      };
    };
    b = {
      services.openssh.enable = true;
      users.users.alice = {
        isNormalUser = true;
        openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
      };
    };
  };

  testScript = ''
    start_all()

    # Set up sshfs mount
    a.succeed(
        "(umask 077; cat ${snakeOilPrivateKey} > /privkey)"
    )
    b.succeed("touch /file-on-b-machine")
    b.wait_for_open_port(22)
    a.succeed("mkdir /ssh")
    a.succeed("mount /ssh")

    # Core locatedb functionality
    a.succeed("touch /file-on-a-machine-1")
    a.wait_for_file("/var/cache/locatedb")
    a.wait_until_succeeds("locate file-on-a-machine-1")

    # Wait for a second update to make sure we're using a locatedb from a run
    # that began after the sshfs mount
    a.succeed("touch /file-on-a-machine-2")
    a.wait_until_succeeds("locate file-on-a-machine-2")

    # We shouldn't be able to see files on the other machine
    a.fail("locate file-on-b-machine")
  '';
}
